How to balance security and privacy in BYOD policies

Nov. 22, 2023
When corporate security policies clash with privacy needs, the answer often lies in compromise

One of the toughest challenges companies face when deciding whether to let employees or third-party partners use personal devices for work is walking the line between security and privacy. Corporate-issued devices are typically enrolled in Mobile Device Management (MDM) software that can install and update business software and security tools such as endpoint detection and response (EDR), and configure device security controls such as the host firewall and disk encryption. MDM is also what lets IT remotely wipe corporate data from a lost or stolen device. 

On the employee side, the pandemic accelerated the transition to remote and hybrid work, as well as anytime, anywhere collaboration, so it’s not unusual for work to be done from any number of different devices. While MDM can provide significantly higher levels of security hygiene, it is not a viable option in organizations where employees don’t want to install it on their personal devices. Additionally, many organizations work with external contractors, consultants or freelancers in a variety of capacities who require access to internal systems but are not willing to install MDM on their own devices or the devices their primary employer provided. 

Ensuring Company Policy is Realistic

For both contractors and employees, the reluctance (or outright opposition) to subjecting their own devices to MDM usually boils down to privacy: no one likes the idea of IT monitoring the sites they visit, the links they click or anything else they do on their own time. Or they worry, for good reason, about losing personal information, files or photos to IT's remote "wipe" function. Yet companies need to ensure that risky personal devices, such as jailbroken or rooted phones, cannot reach their systems. So what can be done when you reach this impasse? 

When corporate security policies clash with privacy needs, the answer often lies in compromise, but this is not always the case. Companies will have different Bring Your Own Device (BYOD) policies depending on the nature of their work and the level of risk they’re willing to take. 

Some companies, especially in regulated sectors and those that store highly sensitive data on endpoints, have zero appetite for risk and implement a black-and-white policy against personal devices for work use. Consider healthcare, for example: if a nurse or doctor accidentally leaves a corporate-issued device on the train, the organization has the controls to keep protected health information (PHI) and other confidential data from falling into the wrong hands. However, if they lose a personal device that also happens to be storing PHI, with no way to remotely wipe it, the organization has to treat that PHI as exposed, and unless the data was encrypted to the standard HIPAA's safe harbor requires, the loss becomes a reportable breach under the HIPAA Breach Notification Rule, a costly liability for any healthcare facility. 

For companies with strict zero-tolerance policies, it hasn't always been possible to enforce these rules or prevent the use of unauthorized devices for work purposes, especially in the modern cloud world. After all, what's to stop an employee from going to a login page, entering their username and password, approving a multi-factor authentication (MFA) push notification and gaining access from any device? Neither the password nor the push proves anything about the device the session is coming from. There are multiple stories of executives accessing critical cloud applications from previously compromised devices such as a hotel business center computer. Modern authentication solutions, however, make it possible to verify that zero-tolerance policies are actually being met. 

While MFA has historically validated only the user's identity, modern MFA can confidently validate the user, confirm that the login is coming from an authorized device, and establish whether the device's configuration meets company-defined policy. When a new device is set up, such solutions generate a public/private key pair on the device, store the private key in Trusted Platform Module (TPM) hardware where it cannot be exported, register the public key with the identity provider, and thereby bind the user identity to that specific device. At each login the device proves possession of the key by signing a server-issued challenge; because the private key cannot be copied to another machine, a valid signature shows both who is logging in and which device they are logging in from, and a hotel business center PC with no enrolled key is rejected even when the password and push are correct.  
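As an added illustration, not code from the original article or from Beyond Identity, here is the challenge/response exchange that device binding rests on, written in Go with the standard library. The in-memory Ed25519 key stands in for a non-exportable TPM key; the names Device, Server, Enroll, Challenge and Verify, the "login:" message prefix and the 32-byte nonce size are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models an enrolled endpoint. In a real deployment the private key is
// generated inside the TPM and is non-exportable; here it simply never leaves
// this struct. (Type and method names are assumptions for this example.)
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// authMessage ties the challenge to the user and device it was issued for, so a
// signature cannot be reused in another context.
func authMessage(user, deviceID string, challenge []byte) []byte {
	return append([]byte("login:"+user+":"+deviceID+":"), challenge...)
}

// Sign proves possession of the device key for one login attempt.
func (d *Device) Sign(user string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, authMessage(user, d.ID, challenge))
}

// Server is the identity-provider side: public keys per user and device, plus
// outstanding single-use challenges.
type Server struct {
	enrolled   map[string]map[string]ed25519.PublicKey // user -> device ID -> key
	challenges map[string][]byte                      // "user/device" -> nonce
}

func NewServer() *Server {
	return &Server{
		enrolled:   map[string]map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Enroll records a device's public key for a user: the one-time step that
// binds the identity to the device.
func (s *Server) Enroll(user, deviceID string, pub ed25519.PublicKey) {
	if s.enrolled[user] == nil {
		s.enrolled[user] = map[string]ed25519.PublicKey{}
	}
	s.enrolled[user][deviceID] = pub
}

// Challenge issues a fresh random nonce, but only for a device enrolled for
// that user; an unknown device (a hotel PC, say) is refused up front.
func (s *Server) Challenge(user, deviceID string) ([]byte, error) {
	if _, ok := s.enrolled[user][deviceID]; !ok {
		return nil, errors.New("device not enrolled for user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user+"/"+deviceID] = nonce
	return nonce, nil
}

// Verify checks the signature against the enrolled key and consumes the
// challenge so the same signature cannot be replayed.
func (s *Server) Verify(user, deviceID string, sig []byte) error {
	key := user + "/" + deviceID
	nonce, ok := s.challenges[key]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, key) // single use, whether or not it verifies
	pub := s.enrolled[user][deviceID]
	if !ed25519.Verify(pub, authMessage(user, deviceID, nonce), sig) {
		return errors.New("signature does not match enrolled device key")
	}
	return nil
}

func main() {
	srv := NewServer()
	laptop, _ := NewDevice("laptop-1")
	srv.Enroll("alice", laptop.ID, laptop.PublicKey())

	ch, _ := srv.Challenge("alice", laptop.ID)
	fmt.Println("enrolled laptop accepted:", srv.Verify("alice", laptop.ID, laptop.Sign("alice", ch)) == nil)

	hotelPC, _ := NewDevice("hotel-pc")
	_, err := srv.Challenge("alice", hotelPC.ID)
	fmt.Println("unenrolled hotel PC:", err)
}
```

The point to notice is that the server never asks the device for a secret it could write down: it asks for a signature over a nonce it just generated, and the only key that can produce one is the one enrolled for that user on that device.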

Flexibility is Key

However, more often than not, companies will need to employ more flexible BYOD policies to meet employees and contractors in the middle. With modern MFA solutions that provide risk-policy-based device trust, organizations can dial in device security posture checks for personal or contractor devices that are in line with the risk of specific applications. They can establish more lenient device security posture requirements for low-risk apps or apply more stringent policies for devices that require access to higher-risk systems.

As we all know, things change rapidly in cybersecurity. So another critical component of a modern MFA solution is that it validates user identity and assesses device trust continuously, not just at login. Say a personal device has the correct security controls at the time of authentication, but the owner turns off the firewall or jailbreaks the device after logging in. Without technology that continuously monitors changes to device security posture, a lower-risk device can become high-risk or even compromised while its session stays valid. A final requirement is that a suspicious or insecurely configured device can be automatically quarantined or dropped off the network, so that a potential attacker cannot use it to move laterally. 
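The two ideas in the last two paragraphs, posture requirements that scale with the risk of the application and re-evaluation of the session after login, fit in one small policy engine. The following is an added example in Go, not code from the article or from any vendor; the posture fields, the three tiers, the checks assigned to each and the thresholds (for instance 14 days for patches) are assumptions chosen to make the tiering concrete.

```go
package main

import "fmt"

// Posture is the device state an endpoint agent reports at login and afterwards.
// Fields and thresholds are assumptions for this example.
type Posture struct {
	FirewallOn    bool
	DiskEncrypted bool
	Jailbroken    bool // rooted or jailbroken OS
	PatchAgeDays  int  // days since the OS was last patched
	MDMEnrolled   bool
}

// Tier is the risk level of the application being accessed.
type Tier int

const (
	Low    Tier = iota // e.g. cafeteria menu
	Medium             // e.g. internal wiki, ticketing
	High               // e.g. payroll, production consoles
)

// A Requirement is one posture check; the string is the reason it failed.
type Requirement func(Posture) (ok bool, reason string)

func notJailbroken(p Posture) (bool, string) { return !p.Jailbroken, "device is jailbroken or rooted" }
func firewallOn(p Posture) (bool, string)    { return p.FirewallOn, "host firewall is off" }
func diskEncrypted(p Posture) (bool, string) { return p.DiskEncrypted, "disk is not encrypted" }
func mdmEnrolled(p Posture) (bool, string)   { return p.MDMEnrolled, "device is not MDM-managed" }
func patchedWithin(days int) Requirement {
	return func(p Posture) (bool, string) {
		return p.PatchAgeDays <= days, fmt.Sprintf("OS patches are %d days old (max %d)", p.PatchAgeDays, days)
	}
}

// tierRequirements is cumulative: each tier demands everything the lower one does.
// A personal or contractor device can reach Low and Medium; High is reserved for
// company-managed, recently patched devices.
var tierRequirements = [][]Requirement{
	Low:    {notJailbroken},
	Medium: {notJailbroken, firewallOn, diskEncrypted},
	High:   {notJailbroken, firewallOn, diskEncrypted, patchedWithin(14), mdmEnrolled},
}

// Evaluate reports whether the posture satisfies the tier and every reason it does not.
func Evaluate(tier Tier, p Posture) (bool, []string) {
	var failures []string
	for _, req := range tierRequirements[tier] {
		if ok, why := req(p); !ok {
			failures = append(failures, why)
		}
	}
	return len(failures) == 0, failures
}

// Session is an authenticated session whose tier is re-checked as posture changes.
type Session struct {
	User, App  string
	Tier       Tier
	Active     bool
	RevokedFor []string
}

// Login evaluates posture once; on failure it returns the reasons instead of a session.
func Login(user, app string, tier Tier, p Posture) (*Session, []string) {
	if ok, why := Evaluate(tier, p); !ok {
		return nil, why
	}
	return &Session{User: user, App: app, Tier: tier, Active: true}, nil
}

// Reassess re-runs the policy on fresh posture. A session whose device has
// drifted below its tier is revoked, which is the hook for quarantining the
// device before it can be used to move laterally. Revoked sessions stay revoked.
func (s *Session) Reassess(p Posture) bool {
	if !s.Active {
		return false
	}
	ok, why := Evaluate(s.Tier, p)
	if !ok {
		s.Active = false
		s.RevokedFor = why
	}
	return ok
}

func main() {
	personal := Posture{FirewallOn: true, DiskEncrypted: true, PatchAgeDays: 3}
	for _, tier := range []Tier{Low, Medium, High} {
		ok, why := Evaluate(tier, personal)
		fmt.Printf("tier %d: allowed=%v %v\n", tier, ok, why)
	}
	s, _ := Login("bob", "wiki", Medium, personal)
	personal.FirewallOn = false // owner disables the firewall mid-session
	fmt.Println("still trusted after firewall off:", s.Reassess(personal), s.RevokedFor)
}
```

Returning every failed reason rather than a bare deny is deliberate: it is what lets the user (or the contractor's own IT) fix the device and retry, which is the "flexible with guardrails" posture rather than the zero-tolerance one.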

With contract work on the rise and employees expecting flexibility and privacy, companies need to determine their risk appetite around personal device usage and set policies that reflect their stance and level of risk tolerance. And wherever their BYOD policy lands on the spectrum of “zero tolerance” to “flexible with guardrails,” strong authentication solutions based on zero trust principles can help them enforce their policies and shut down risks before they turn into larger security issues. 

Jasson Casey is the Chief Executive Officer at Beyond Identity, a leading provider of passwordless, phishing-resistant MFA. Prior to his current role, he served as Chief Technology Officer at Beyond Identity and SecurityScorecard, VP of Engineering at IronNet Cybersecurity, and as Founder and Executive Director of both Flowgrammable and Compiled Networks. He received his bachelor’s degree in computer engineering from The University of Texas at Austin and holds a Ph.D. in computer engineering from Texas A&M University.